CRUD5th-273-

Automating RBAC HTML Reports to PR Comments: Review-Driven Security in GitHub Actions

Keeping track of access control changes is hard — unless your CI does it for you.

This guide shows how to:

  • Generate a Role × Field matrix in HTML
  • Detect diffs between dev and prod RBAC
  • Auto-post a visual report as a comment on the related GitHub Pull Request

No more guessing who can access what: reviewers get the report inline, in real time, on the PR itself.


1. Output Format: HTML Report

Use your rbac-matrix.js (or a similar script) to export the Role × Field matrix for each environment, then diff the two exports into an HTML report:

node rbac-matrix.js metadata-dev/ > rbac-dev.csv
node rbac-matrix.js metadata-prod/ > rbac-prod.csv
node diff-rbac.js rbac-dev.csv rbac-prod.csv > rbac-diff.html

Example table (simplified):

<table>
  <thead><tr><th>Role</th><th>Table</th><th>Field</th><th>Diff</th></tr></thead>
  <tbody>
    <tr><td>user</td><td>invoices</td><td>amount</td><td style="color: red;">SELECT: Removed</td></tr>
    <tr><td>admin</td><td>logs</td><td>ip_address</td><td style="color: green;">INSERT: Added</td></tr>
  </tbody>
</table>

Wrap the table in a collapsible block so a large report does not flood the PR thread:

<details><summary>RBAC Drift Report</summary>
...table here...
</details>

2. GitHub Actions Workflow

Step 1: Create the workflow file .github/workflows/rbac-report.yml

name: RBAC Diff and PR Comment

on:
  pull_request:
    # Match the directories the scripts actually read (a bare 'metadata/**'
    # filter would never fire for changes under metadata-dev/ or metadata-prod/).
    paths:
      - 'metadata-dev/**'
      - 'metadata-prod/**'

# Least privilege for GITHUB_TOKEN: read the repo, write PR comments, nothing else.
permissions:
  contents: read
  pull-requests: write

jobs:
  rbac-diff:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Setup Node
        uses: actions/setup-node@v3
        with:
          node-version: '18'

      - name: Install Deps
        run: npm install

      - name: Generate RBAC Diff Report
        run: |
          node rbac-matrix.js metadata-dev/ > rbac-dev.csv
          node rbac-matrix.js metadata-prod/ > rbac-prod.csv
          node diff-rbac.js rbac-dev.csv rbac-prod.csv > rbac-diff.html

      # Locate the report posted by an earlier run so the next step can update it
      # in place; without a comment-id, create-or-update-comment always creates a new one.
      - name: Find Existing Comment
        id: find-comment
        uses: peter-evans/find-comment@v3
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: 'github-actions[bot]'
          body-includes: RBAC Drift Report

      - name: Post Comment
        uses: peter-evans/create-or-update-comment@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          comment-id: ${{ steps.find-comment.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
          body-path: ./rbac-diff.html
          edit-mode: replace

💡 Tip: edit-mode: replace ensures one comment is reused, not spammed on every run.


3. Optional: Format HTML as Markdown for Better PR UX

Instead of a full HTML table, have diff-rbac.js emit a GitHub-flavored Markdown table, which renders more cleanly in PR comments:

| Role | Table | Field | Diff |
|------|-------|--------|------|
| user | invoices | amount | ~~SELECT~~ ❌ |
| admin | logs | ip_address | ✅ INSERT |

Then point the Post Comment step at the Markdown file instead: body-path: rbac-diff.md


4. Result in PR

When a contributor changes Hasura metadata in a PR:

✅ RBAC diff is generated

✅ Visual diff table is posted as PR comment

✅ Reviewers can approve/reject RBAC changes inline


Final Thoughts

RBAC is infrastructure. Treat it like code.

When security drifts silently, CI must speak loudly.

With RBAC visual bots in place, your team never misses a permission gap again.

Next:

  • Slack alerts on critical diffs
  • Diff severity heatmaps
  • RBAC policy-as-code enforcement gate

Comment the matrix. Review the diff. Secure the graph.
